XSS: Cross-Site Scripting (Part 1)

Marco Angelo
4 min readJan 8, 2018

When you see those spam emails that prompt you to click on a not-so-shady link to win $10,000,000, you are aware enough (hopefully) not to fall for them, as doing so could get your financial information compromised. These emails just scream Spam! into your face and they’re easy to spot, so it’s usually easy to ignore those pesky emails altogether.

However, there is a much subtler, sinister type of identity attack. What if you could get your identity compromised without having to click on a shady link? What if your identity could be stolen . . . without doing anything?

Many websites are not secured and leave bits of their code exposed to the liking of hackers worldwide. Hackers take advantage of these vulnerabilities and put very bad things into the unprotected code of a poorly-secured website. This type of website-based attack is called Cross-Site Scripting.

Cross-Site Scripting is a type of phishing attack where a malicious person decides to insert bad code into a portion of the website’s vulnerable code. This bad code runs on the victim’s browser whenever the website’s URL is requested. The usual weapon of choice for a hacker using XSS is a client-side script, such as JavaScript.

In this scenario, let’s say this malicious person wants to steal the user’s cookie and, at the same time, redirect them to Rick Astley’s Never Gonna Give You Up. To carry out their malicious intent, the hacker looks for a poorly-secured website and infects its HTML code with a script (command) that does bad things. Once a victim (you) loads the website, this bad code is transferred to your browser, which then executes it on the hacker’s behalf.

The catch? The victim knows nothing.

The steps of the whole process are summarized below.

Step 1) Hacker infects the site. The hacker opens up their preferred browser and accesses the website’s vulnerable HTML code.

They then insert a malicious script into a block of the vulnerable code. In this case, the hacker wants to redirect every user to Rick Astley whenever they load the page. While the victim stares at the screen in confusion, the script will also steal their cookie for extraction.

This is what would happen, in pseudocode.

The hacker now waits for the prey.

Step 2) A victim loads the website after typing its URL.

Step 3) After loading the page, the victim gets the bad code. More specifically, the bad code gets onto their browser. Here, they get rickrolled. Slightly more problematically, their log-in information just got compromised without them knowing — as they stare in irritation at the video.

Step 4) The hacker’s server receives what the injected code sends back, including the user’s cookie! The hacker now knows everything that’s sensitive and forbidden about the user’s identity and activity on the site, and can now laugh to themselves as they blackmail the victim and ruin people’s lives since they have nothing better to do.

A more concise picture illustrating the architecture of a basic XSS attack is shown below:

Here is a short summary of the steps:

  1. Hacker puts bad code into the website
  2. Victim loads website
  3. Victim gets bad code
  4. Hacker makes the victim’s browser execute bad code

The only medium between you and the hacker in an XSS attack would be one of your favorite websites.

The website simply acts as a container for that bad code. You could imagine that the vulnerable website acts as the “bridge” between the hacker and the victim. Once the unsuspecting victim crosses over the bridge, the hacker ambushes and mugs them. Like a cave troll, but scarier because you don’t know who’s “mugging” your identity.
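Where the defence sits in this picture, as an added example (not code from the article): the website must escape attacker-controlled text before placing it in the page, so the browser displays the "bad code" as text instead of running it, and an HttpOnly session cookie keeps the cookie out of reach of any script that does get through. The comment string is constructed for the demo and the function names are chosen here; it runs under Node.js with no extra modules.

```javascript
// Added example, not from the original article. Shows the vulnerable and
// hardened way to place user-supplied text (a stored comment) into HTML,
// plus the cookie flag that blunts the cookie-theft step of the scenario.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is the basic "output encoding" defence.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable version: the comment is concatenated straight into the markup,
// so a comment containing a <script> tag becomes code that every visitor's
// browser executes (the article's "bad code in the website").
function renderCommentVulnerable(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened version: identical markup, but the comment is escaped first, so
// the browser shows the tag as literal text rather than running it.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Defence in depth for the cookie-theft part of the story: an HttpOnly cookie
// is not readable from document.cookie, so even an injected script cannot
// read it. Builds the value of a Set-Cookie response header.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: a comment carrying the classic probe payload.
const hostileComment = '<script>alert(document.cookie)</script>';

console.log('vulnerable:', renderCommentVulnerable(hostileComment));
console.log('hardened:  ', renderCommentSafe(hostileComment));
console.log('cookie:    ', sessionCookieHeader('abc123'));
```

The hardened output still contains the word "script", but only as `&lt;script&gt;`, which the browser renders as visible text; escaping must happen at output time, for every place user text lands in the page.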

Since XSS is such an easy type of phishing attack to carry out, it remains one of the most common forms of web exploitation. Check out this story about the CIA getting hacked by a bunch of angry Swedish people by means of XSS.

While the steps described above portray a general XSS attack, there are three primary categories of XSS attacks.

Types of XSS Attacks:

  • Stored XSS
  • Reflected XSS
  • DOM-based XSS

Are you curious about these types of XSS attacks, how they differ and which website vulnerabilities each one exploits? Stay tuned for Part Two of this mini-trilogy on XSS, which will discuss how each type of Cross-Site Scripting works.

If you spot any misinformation or inaccuracies in this article, do not hesitate to send me a message correcting them. Any and all criticism is highly appreciated.
